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IN THE CLAIMS 

Please amend the claims as follows: 



1 . (Previously Presented) In a system having a computer and one or more security 
mechanisms, a computer-implemented method of defining and enforcing a security policy, the 
method comprising: 

encapsulating security mechanism application specific information for each security 
mechanism, wherein encapsulating includes forming a key for each security mechanism; 
combining keys to form key chains; 

encapsulating key chains as keys and passing the key chain keys to another semantic 

layer; 

defining the security policy, wherein defining includes forming key chains from keys and 
associating users with key chains; 

executing, within a computer, translation software, wherein the translation software 
translates the security policy and exports the translated security policy to the security 
mechanisms; and 

enforcing the security policy via the security mechanisms. 

2. (Original) The method of claim 1 wherein the security mechanisms are located on one or 
more distributed computer networks. 

3. (Original) The method of claim 1 wherein the security mechanisms are heterogeneous. 

4. (Original) The method of claim 1 , wherein defining the security policy further includes 
drilling down into a next lower semantic layer to form a new key chain. 



5 . (Original) The method of claim 1 wherein the security policy is defined using a 
graphical user interface. 
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6. (Currently Amended) A computer-based security system for a computer networkjhe 
computer-based security system comprising: 

a computer; 

a plurality of security mechanisms; 

a plurality of semantic layers within a model implemented on the computer network, 
wherein the two or more of the semantic layers include keys combinable into key chains, the key 
chains are able to be encapsulated as key chain keys, and the key chain keys are exportable to 
another semantic layer, wherein each key encapsulates security mechanism application specific 
information for a security mechanism; 

a user interface for defining a security policy as a function of keys received from a lower 
semantic layer; and 

a translato r, implemented on the computer, for translating the security policy to the 
security mechanisms. 

7. (Original) The system according to claim 6 wherein the user interface is a graphical user 
interface. 

8. (Original) The system according to claim 6 wherein the security policy is a role-based 
access control model. 

9. (Original) The system of claim 6 wherein the semantic layers form a poset. 

1 0. (Original) The system of claim 6 wherein the user interface includes means for drilling 
down into a lower semantic layer to form a new key chain. 

1 1 . (Currently Amended) A computer-based security system for a computer networkjhe 
computer-based security system comprising: 

a computer; 

a model implemented on the computer network, the model comprising semantic layers 
for defining different security policies and constraints for each type of user; 
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a tool for manipulating the model, wherein the tool is configured to: 

encapsulate security mechanism application specific information for each 

security mechanism, wherein encapsulating includes forming a key for each security 

mechanism; 

combine keys to form key chains; 

encapsulate key chains as key chain keys within two or more semantic layers; 
pass the key chain keys to other semantic layers; 
form user key chains from the key chain keys; and 
associate users with the user key chains; and 
a translato r, implemented on the computer, for translating security policies from the 
model to security mechanisms in one or more computer resources. 

12. (Previously Presented) The system of claim 1 1 wherein the model comprises a static 
application policy layer, two or more semantic policy layers, and a dynamic local policy layer. 

13. (Previously Presented) The system of claim 1 1 wherein the model represents a set of 
access rights for a computer resource as a key and the model represents a set of keys as a key 
chain. 

14. (Previously Presented) A computer-implemented method of defining a security policy, 
the method comprising: 

defining an application policy layer and a plurality of semantic policy layers, including a 
first semantic policy layer and a second semantic layer; 

encapsulating a set of access rights for a computer resource as a key; 

combining keys to form one or more key chains within the application policy layer; 

executing software within a computer to export key chains in the application policy layer 
as a key; 

importing at least one key from the application policy layer into the first semantic policy 

layer; 

combining one or more keys in the first semantic policy layer to form a key chain; 
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exporting key chains in the first semantic policy layer as keys; 
importing at least one key into the second semantic policy layer; 
combining one or more keys in the second semantic policy layer to form a key chain; 
exporting key chains in the second semantic policy layer as keys; 
importing at least one key from the second semantic policy layer to a local policy layer; 
combining one or more keys in the local policy layer to form one or more local policy 
key chains; and 

assigning users to local policy key chains in the local policy layer. 

15. (Original) The method of claim 14 wherein combining one or more keys to form a key 
chain includes combining a key chain with the one or more keys to form another key chain. 

16. (Original) The method of claim 14 wherein combining one or more keys in the first 
semantic layer includes combining a key chain with the one or more keys to form another key 
chain. 

1 7. (Original) The method of claim 14 wherein combining one or more keys to form a key 
chain includes associating a constraint with the key chain, wherein the constraint must be 
satisfied before access to a computer resource governed by the key chain is granted. 

18. (Original) The method of claim 14 wherein encapsulating includes grouping methods 
into handles and handles into keys. 

19. (Original) The method of claim 18 wherein each key chain includes handles for different 
computer resources. 

20. (Original) The method of claim 14 wherein combining one or more keys to form a key 
chain includes marking the key chain as abstract, wherein key chains marked as abstract are not 
exported to other layers. 



AMENDMENT AND RESPONSE UNDER 37 CFR § 1.1 11 Page 6 

Serial Number: 09/483,164 Dkt: 105.174US1 

Filing Date: January 14, 2000 

Title: LOCALLY ADAPTABLE CENTRAL SECURITY MANAGEMENT IN A HETEROGENEOUS NETWORK ENVIRONMENT 

21 . (Original) The method of claim 14 further comprising combining one or more keys and 
key chains in the local policy layer to form a new key chain in the local policy layer. 

22. (Previously Presented) A computer-implemented method of defining a security policy, 
the method comprising: 

defining an application policy layer and a semantic policy layer; 
encapsulating a set of access rights for a computer resource as a key; 
combining keys to form one or more key chains within the application policy layer; 
executing software within a computer to export key chains in the application policy layer 
as a key; 

importing at least one key from the application policy layer into the semantic policy 

layer; 

combining one or more keys in the semantic policy layer to form a key chain; 
exporting key chains in the semantic policy layer as keys; 
importing at least one key from the semantic policy layer to a local policy layer; 
combining one or more keys in the local policy layer to form one or more local policy 
key chains; and 

assigning users to local policy key chains in the local policy layer. 

23. (Original) The method of claim 22 wherein combining one or more keys in the semantic 
policy layer to form a key chain includes combining a key chain with the one or more keys to 
form another key chain. 

24. (Original) The method of claim 22 wherein combining one or more keys in the local 
policy layer to form a key chain includes combining a key chain with the one or more keys to 
form another key chain. 



25 . (Original) The method of claim 22 wherein combining one or more keys in the semantic 
policy layer to form a key chain includes associating a constraint with the key chain, wherein the 
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constraint must be satisfied before access to a computer resource governed by the key chain is 
granted. 

26. (Original) The method of claim 22 wherein combining one or more keys in the local 
policy layer to form a key chain includes associating a constraint with the key chain, wherein the 
constraint must be satisfied before access to a computer resource governed by the key chain is 
granted. 

27. (Original) The method of claim 22 wherein encapsulating includes grouping methods 
into handles and handles into keys. 

28. (Original) The method of claim 27 wherein each key chain includes handles for different 
computer resources. 

29. (Original) The method of claim 22 wherein combining one or more keys to form a key 
chain includes marking the key chain as abstract, wherein key chains marked as abstract are not 
exported to other layers. 

30. (Original) The method of claim 22 further comprising combining one or more keys and 
key chains in the local policy layer to form a new key chain in the local policy layer. 

3 1 . (Previously Presented) A computer-implemented method of modifying a security policy, 
the method comprising: 

defining an application policy layer and a semantic policy layer; 
encapsulating a set of access rights for a computer resource as a key; 
combining keys to form one or more key chains within the application policy layer; 
executing software within a computer to export key chains in the application policy layer 
as a key; 

importing at least one key from the application policy layer into the semantic policy 

layer; 
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combining one or more keys in the semantic policy layer to form a key chain; 
exporting key chains in the semantic policy layer as keys; 
importing at least one key from the semantic policy layer to a local policy layer; 
combining one or more keys in the local policy layer to form one or more local policy 
key chains; 

assigning users to local policy key chains in the local policy layer; 
constructing a role hierarchy by sorting the key chains into a partial ordering based on set 
containment; 

displaying the partial ordering as a role hierarchy graph; and 
adding and deleting keys from the role hierarchy graph. 

32. (Original) An article comprising a computer readable medium having instructions 
thereon, wherein the instructions, when executed in a computer, create a system for executing the 
method of claim 1. 



33. (Original) An article comprising a computer readable medium having instructions 
thereon, wherein the instructions, when executed in a computer, create a system for executing the 
method of claim 14. 



34. (Original) An article comprising a computer readable medium having instructions 
thereon, wherein the instructions, when executed in a computer, create a system for executing the 
method of claim 22. 



35. (Original) An article comprising a computer readable medium having instructions 
thereon, wherein the instructions, when executed in a computer, create a system for executing the 
method of claim 31. 



36-38. (Canceled) 



